Date: Wed, 5 Feb 2020 16:09:21 +0000 (UTC)
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r357574 - head/sys/kern
Message-ID: <202002051609.015G9Lug027794@repo.freebsd.org>
Author: markj Date: Wed Feb 5 16:09:21 2020 New Revision: 357574 URL: https://svnweb.freebsd.org/changeset/base/357574 Log: Avoid releasing object PIP in vn_sendfile() if no pages were grabbed. sendfile(2) optionally takes a set of headers that get prepended to the file data. If the request length is less than that of the headers, sendfile may not allocate an sfio structure, in which case its pointer is null and we should be careful not to dereference. This was introduced in r356902. Reported by: syzkaller Sponsored by: The FreeBSD Foundation Modified: head/sys/kern/kern_sendfile.c Modified: head/sys/kern/kern_sendfile.c ============================================================================== --- head/sys/kern/kern_sendfile.c Wed Feb 5 16:09:02 2020 (r357573) +++ head/sys/kern/kern_sendfile.c Wed Feb 5 16:09:21 2020 (r357574) @@ -1060,8 +1060,10 @@ prepend_header: * we can send data right now without the * PRUS_NOTREADY flag. */ - vm_object_pip_wakeup(sfio->obj); - free(sfio, M_TEMP); + if (sfio != NULL) { + vm_object_pip_wakeup(sfio->obj); + free(sfio, M_TEMP); + } #ifdef KERN_TLS if (tls != NULL && tls->mode == TCP_TLS_MODE_SW) { error = (*so->so_proto->pr_usrreqs->pru_send)
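Review bot: the new `if (sfio != NULL)` guard in the prepend_header path carries no comment saying when sfio can be null, and the existing comment above it only covers sending without the PRUS_NOTREADY flag. Per the log message, this happens when the request length is less than the header length and no sfio structure is allocated; a one-line comment to that effect at the check would keep a later cleanup from removing it as redundant. Only this one use of sfio is visible in the hunk, so it is worth confirming that nothing else reachable after prepend_header dereferences sfio unguarded. Since the crash was found by syzkaller, a regression test that calls sendfile(2) with headers longer than the requested length would pin the fix down.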